Talk:Using SSH Passphrases

From LSDevLinux
Revision as of 10:14, 11 May 2007 by Mayhewn (talk | contribs) (Fix comment times)


An alternative would be to use authentication keys (see man ssh-keygen). This means that a “secret” key is stored on your computer along with a corresponding public key. On other computers that you ssh to, you put the public key in ~/.ssh/authorized_keys(2). Now ssh should never require a password. Of course, this solution means that if anyone obtains your secret key all the computers are compromised. But it’s probably simpler to set up.
--Jonathan Hunt 18:27, 8 May 2007 (MDT)

We are already using authentication keys. The "passphrase" I am talking about here is the one used to protect the key itself, not the one used to log into the remote account. This means you have to give the passphrase whenever you want to use the key. This is much more secure than using an unprotected key, and we encourage our users to take this approach whenever possible.

Using a key passphrase might seem pointless, since you could just as well use the remote account password instead, but there are several advantages. One is that the password never travels over the wire. Another is that you can disable password access via ssh altogether on the remote machine, so that no-one can hack in without a key. A third is that setting up accounts is much safer, since instead of somehow communicating an initial password to a new user, they send you the public part of their key. Finally, by using ssh-agent, you set things up so that you only have to give the key passphrase once, for example at login, and so it can be a much longer string. The unprotected key is cached in memory, but never on disk.

This page is about how to set up this scenario so that you can give the passphrase once, via the GUI, at login.
--Neil 10:34, 10 May 2007 (MDT)
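The setup Neil describes (a passphrase-protected key, the public half installed in authorized_keys, password logins switched off on the server), as an added example that is not part of the original discussion or of any LSDevLinux script. It assumes OpenSSH's ssh-keygen is installed for the key steps (they are skipped if it is not), and it goes a little beyond the thread by adding a small audit of an sshd_config fragment: the two config texts, the key file names and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the LSDevLinux page). Assumes OpenSSH's ssh-keygen is
# installed for the key steps; the sshd_config audit runs on constructed text only.

# audit_sshd_config CONFIG_TEXT
# Echoes "hardened" when password logins are off and public-key logins are on,
# otherwise a short reason. Mirrors sshd's rule that the FIRST occurrence of a
# keyword wins, uses sshd's defaults (PasswordAuthentication yes,
# PubkeyAuthentication yes), and stops at the first Match block, whose
# directives are conditional. Assumes the "Keyword value" spelling, not "Keyword=value".
audit_sshd_config() {
  _cfg=$1
  _pw=$(printf '%s\n' "$_cfg" | awk 'tolower($1)=="match" {exit}
        $1 !~ /^#/ && tolower($1)=="passwordauthentication" {print tolower($2); exit}')
  _pk=$(printf '%s\n' "$_cfg" | awk 'tolower($1)=="match" {exit}
        $1 !~ /^#/ && tolower($1)=="pubkeyauthentication" {print tolower($2); exit}')
  _pw=${_pw:-yes}; _pk=${_pk:-yes}
  if [ "$_pk" != "yes" ]; then echo "pubkey-disabled"; return 1; fi
  if [ "$_pw" != "no" ]; then echo "password-allowed"; return 1; fi
  echo "hardened"
}

# make_protected_key KEYFILE PASSPHRASE
# Generates an ed25519 key encrypted under PASSPHRASE (-N) and proves the file is
# unusable without it: deriving the public key with an empty passphrase must fail.
make_protected_key() {
  _key=$1; _pass=$2
  ssh-keygen -q -t ed25519 -N "$_pass" -C "example@host" -f "$_key" || return 1
  if ssh-keygen -y -P '' -f "$_key" >/dev/null 2>&1; then
    echo "unprotected"; return 1
  fi
  ssh-keygen -y -P "$_pass" -f "$_key" >/dev/null 2>&1 || return 1
  echo "protected"
}

# install_pubkey PUBFILE AUTHORIZED_KEYS
# Appends only the public half to authorized_keys, with the permissions sshd's
# StrictModes expects (0700 directory, 0600 file). Prints the number of keys.
install_pubkey() {
  _pub=$1; _auth=$2
  mkdir -p "$(dirname "$_auth")" && chmod 700 "$(dirname "$_auth")" || return 1
  cat "$_pub" >> "$_auth" && chmod 600 "$_auth" || return 1
  grep -c 'ssh-ed25519' "$_auth"
}

# Constructed sshd_config fragments: the weak (default) one and the hardened one.
WEAK_CONFIG='# sshd_config
#PasswordAuthentication yes
PubkeyAuthentication yes'
HARDENED_CONFIG='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes'

# Key steps run only where ssh-keygen exists; everything lands in a temp dir.
if command -v ssh-keygen >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  make_protected_key "$tmp/id_ed25519" 'correct horse battery staple' || echo "key demo failed"
  install_pubkey "$tmp/id_ed25519.pub" "$tmp/remote/.ssh/authorized_keys" || echo "install failed"
  rm -rf "$tmp"
fi
audit_sshd_config "$WEAK_CONFIG" || :      # prints password-allowed
audit_sshd_config "$HARDENED_CONFIG" || :  # prints hardened
```

The agent half of the scenario is the same two commands on any OpenSSH host: `eval "$(ssh-agent -s)"` once per session, then `ssh-add ~/.ssh/id_ed25519`, which prompts for the passphrase a single time and keeps the decrypted key in the agent's memory only. The audit deliberately stops at the first `Match` line: a `PasswordAuthentication yes` inside a `Match` block re-enables passwords for the matched users, so a real check has to read those blocks too.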